Running a business brings some big rewards but also comes with many responsibilities, from managing taxes to invoicing. One of these obligations is being compliant with the required payment regulations and standards, which is crucial for protecting your business and customer trust.
The Payment Card Industry Data Security Standard version 4.0 (PCI DSS 4.0), the latest update to card payment security standards, introduces a new wave of requirements that businesses must meet before the deadline.
In this guide, we'll simplify what these updates mean to your business and offer insights into how you can make sure you’re compliant and ready come the 31st of March 2024.
Before diving into the specifics of PCI DSS 4.0 phase 1 compliance, let’s rewind and break down what PCI DSS is.
PCI DSS stands for Payment Card Industry Data Security Standard and is a set of 12 core security standards created to protect sensitive cardholder data. The first version of PCI DSS was launched in 2004 by the Payment Card Industry Security Standards Council (PCI SSC). The PCI SSC is made up of representatives from major credit card companies, including Visa, Mastercard, and American Express.
PCI DSS aims to reduce the risk of data breaches and fraud in payment card transactions, and it applies to all businesses that process card payments or store card data. Essentially, if you process card payments, you have to be compliant with the PCI DSS standards; otherwise, you could be fined and put your customers’ card information at risk.
PCI DSS 4.0 was officially published in March 2022 and represents the latest iteration of security standards, introducing 63 new changes to address evolving security threats and technological advancements.
Some of the changes were brought in with immediate effect, but most businesses have until the 31st of March 2024 to comply with the first phase of 13 new requirements. A second phase gives businesses until 31st March 2025 to meet the rest of the requirements.
The last version of PCI DSS was v3.2.1, which will be retired at the end of March 2024 to allow v4.0 to come into full effect.
So, to get your business compliant with phase one of PCI DSS 4.0, you’ll need to know what’s new. We’ve pulled together a summary of some of the key changes, and John Clark, Product Manager here at takepayments, talks us through them:
Firstly, v4.0 redefines some of the terminology used within the standards. For example, the PCI DSS Summary of Changes states that ‘cardholder data’ has been updated to ‘account data’ to better align with today’s usage and intent.
“PCI DSS was initially launched in 2004, and things have changed a lot since then. Technology has come a long way, and so have the ways that people like to pay. Things like contactless, biometric payments, and Buy Now, Pay Later didn’t exist in the first iteration. So, the security council had to recognise the advancements and accommodate them – as well as future-proof the standard for new developments,” says John. “Amending the terminology is a sign of the PCI DSS accounting for the latest payment processes, methods, and security architectures.”
Multi-factor authentication (MFA) is a core security control that helps reduce card payment fraud, and v4.0 states that MFA must be rolled out for all accounts with access to the cardholder data environment (CDE). The CDE refers to any person, process, or technology used to store, process, or transmit cardholder or authentication data.
“Making MFA a mandatory security protocol across all accounts in the CDE will help to strengthen any gaps where vulnerabilities could occur, helping to reduce security risks,” says John.
PCI DSS v4.0 has also changed the password requirements, raising the minimum password length from seven to twelve characters. Passwords must also include a number, upper and lower case letters, and a special character.
“Lengthier and more complex passwords may cause some friction for user experience, but they’ll be much more difficult for scammers to gain access to – which is the aim of the PCI DSS standard.”
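To make the password rules described above concrete, here is an added illustration (this is not takepayments code, and it encodes the rules exactly as the article states them: a twelve-character minimum plus a digit, an upper-case letter, a lower-case letter and a special character). The function and field names are this example's own, and the sample credentials in `main()` are constructed for the demonstration. A check like this can run inside an account-creation flow or over a list of existing accounts as part of the gap analysis the article goes on to describe; note that it reports only which rules failed, never the password itself.

```python
"""Password policy check for the rules the article attributes to PCI DSS v4.0.

Added example, not code from takepayments. The rule set is taken from the
article's description; names such as PolicyResult and check_password_policy
are assumptions made for this illustration.
"""
import string
from dataclasses import dataclass, field

# Article: minimum length raised from seven to twelve characters.
MIN_LENGTH = 12


@dataclass
class PolicyResult:
    """Outcome of a policy check: overall verdict plus the rules that failed."""
    compliant: bool
    failures: list[str] = field(default_factory=list)


def check_password_policy(password: str, min_length: int = MIN_LENGTH) -> PolicyResult:
    """Return which of the article's stated rules a candidate password fails.

    The password itself is never stored in the result, so the result can be
    logged or shown to the user without leaking the secret.
    """
    failures: list[str] = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    # string.punctuation is used as the working definition of "special character".
    if not any(c in string.punctuation for c in password):
        failures.append("no special character")
    return PolicyResult(compliant=not failures, failures=failures)


def audit_accounts(accounts: dict[str, str]) -> dict[str, list[str]]:
    """Map each account id to its failed rules; compliant accounts are omitted.

    Input is {account_id: password}; output never contains the passwords.
    """
    report: dict[str, list[str]] = {}
    for account_id, password in accounts.items():
        result = check_password_policy(password)
        if not result.compliant:
            report[account_id] = result.failures
    return report


def main() -> None:
    # Constructed sample accounts for the demonstration only.
    sample_accounts = {
        "till-01": "Tr0ub4dor&3x!",      # meets every stated rule
        "till-02": "password",           # too short, no digit/upper/special
        "back-office": "abcdefghijkl1!", # long enough but no upper-case letter
    }
    for account_id, failures in audit_accounts(sample_accounts).items():
        print(f"{account_id}: {', '.join(failures)}")


if __name__ == "__main__":
    main()
```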
While many areas of the PCI DSS have been tightened to reduce security gaps, organisations have more flexibility in v4.0 around how they want to comply. Businesses can take one of two approaches to implement the standard:
“Not all businesses operate the same, so giving them a choice on how they want to approach the new standard can help them to apply the new measures in a way that best suits them,” states John. “Businesses are offered even more flexibility in that they can use a mixture of both the defined and customised approach if needed.”
“This flexibility in how businesses approach compliance is an overarching theme to the latest PCI DSS version. V4.0 moves away from a strict checklist assessment to encouraging organisations to establish procedures that focus on long-term compliance,” explains John. “Card security has never been more important, and making PCI DSS compliance a cornerstone of everyday processing puts businesses on the path to establishing it as a prerequisite rather than an afterthought.”
The PCI DSS outlines four different merchant levels that are defined by the total amount of transactions that a business processes each year. Each business’s level of compliance is dictated by which merchant level they fall into.
The merchant levels are:
Merchant level | Mastercard | Visa | American Express (AmEx) | Discover Global Network (DGN) | JCB |
Level 1 | Over 6 million transactions | Over 6 million transactions | Over 2.5 million transactions | Over 6 million transactions | Over 1 million transactions |
Level 2 | 1-6 million transactions | 1-6 million transactions | 50,000-2 million transactions | 1-6 million transactions | Less than 1 million |
Level 3 | 20,000-1 million e-commerce transactions | 20,000-1 million e-commerce transactions | 10,000-50,000 transactions | Up to 1 million transactions of any type | - |
Level 4 | Less than 20,000 e-commerce transactions OR up to 1 million total transactions | Less than 20,000 e-commerce transactions OR up to 1 million total transactions | Less than 10,000 transactions | - | - |
Compliance requirements vary with each merchant level, but those in Level 1 have the strictest regulations to comply with. Merchants that have suffered a data breach can also be categorised as Level 1, regardless of their transaction volume.
Some of the regulations for Level 1 compliance include:
To know where you need to brush up to meet v4.0 regulations, you’ll need to conduct a gap analysis or audit. Large corporations and merchants in Level 1 must have a compliance audit performed by a Qualified Security Assessor (QSA) or Internal Security Assessor (ISA). Smaller businesses, or those in Level 4, that accept card payments must complete a PCI Compliance Self-Assessment Questionnaire (SAQ).
The SAQ must be signed by a member of the business and submitted to the acquiring bank yearly.
Level 1 businesses may have in-house teams that look after their PCI DSS compliance process, but those in Level 4 may benefit from third-party help to make sure they’re following all the right regulations.
“At takepayments, our dedicated Security+ offering is on-hand to ensure merchants can receive the support they need to meet PCI DSS 4.0 compliance,” explains John.
“Our team of experts understand how the latest version of the standards affects smaller businesses and the unique challenges that they face, so they can provide tailored guidance in line with the latest requirements. With Security+, we make the transition smooth and take care of it all so merchants can focus on the day-to-day running of their businesses.”
While the PCI Security Standards Council sets the PCI DSS, the Council members enforce the regulations. These are American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc.
And it’s these acquiring banks that impose strict fines on merchants if they fail to comply.
Fines vary depending on the acquirer, but businesses could receive a hefty fine of up to $100,000 (roughly £80,000) each month until they become compliant. The amount of customers and transactions a business processes and the severity of the non-compliance will also impact the penalty.
“Along with a PCI DSS fine, merchants may also be penalised by their acquirer for being non-compliant and face monthly non-compliance fees,” explains John. “Here at takepayments, we go through this process with you as part of our Security+ offering.”
“However, the biggest threat to businesses if they fail to meet PCI DSS regulations is that they could be vulnerable to a data breach, and their customers’ sensitive information won’t be protected should they suffer a card data loss. And this could cause hugely detrimental damage, far greater than any fines.”
“Small businesses should contact their acquirer to find out their standards for compliance, as each acquirer may set different requirements,” says John.
“Merchants don’t have to pay to transition to PCI DSS 4.0, as they can choose to make changes to follow the guidelines themselves. However, hiring a third-party professional or service provider to consult can help businesses to comply correctly. Our Security+ offering gives guidance to ensure that merchants adhere to the necessary standards and could hugely minimise the risk of non-compliance.”
“The core aim of the PCI DSS is to protect customer card data from unauthorised use or falling into the wrong hands, so businesses adhering to the latest 4.0 regulations could benefit from more secure and stronger security measures when processing card payments,” John says.
It’s estimated that a cyber attack happens on average every 39 seconds, and there were over 364 million reports of data breaches or leaks in 2023. With cybercrime becoming one of the most important global risks to businesses, implementing the proper safeguards to keep customer data safe has never been more pivotal.
The proper storage of your customers’ data isn’t the only benefit of abiding by PCI DSS 4.0. Data breaches can be costly to rectify, which can be a massive hit for small businesses. Plus, a breach can affect a merchant’s reputation and potentially damage consumer confidence.
“Security+ not only advises on PCI DSS requirements, but it also provides guidance on how merchants can protect against active security threats. We send out regular updates on how small businesses can stay safe and what precautions they can take to limit the chances of cyber attacks causing long-lasting damage.”
With our Security+ package, we can support you with your PCI compliance and help you understand how to keep your payments safe and secure. Get in contact with us today to help keep your business and customers protected.
Or, you can find the latest card machines or POS system to process transactions safely and securely.